WEBVTT

00:00.000 --> 00:14.440
This is Hacker Public Radio episode 3,877 for Tuesday the 13th of June 2023.

00:14.440 --> 00:19.760
Today's show is entitled, Keep His Exxy Audit Review.

00:19.760 --> 00:25.200
It is hosted by some guy on the internet, and is about 43 minutes long.

00:25.200 --> 00:27.840
It carries a clean flag.

00:27.840 --> 00:29.520
The summary is.

00:29.520 --> 00:41.040
Let's go to discuss as the Keep His Exxy Audit by Zorma Lothnikov.

00:41.040 --> 00:46.200
Hello and welcome to another episode of Hacker Public Radio, I'm your host, some guy on

00:46.200 --> 00:47.200
the internet.

00:47.200 --> 00:54.080
Today we're going to be talking about Keep His Exxy, specifically the audit of Keep His Exxy

00:54.080 --> 01:04.920
Version 2.7.4, and the release after the audit of Keep His Exxy 2.7.5.

01:04.920 --> 01:05.920
Let's begin.

01:05.920 --> 01:14.000
Keep His Exxy Version 2.7.4 was released on the 29th of October, 2022.

01:14.000 --> 01:19.840
Let me be clear, I'll be covering the good new Linux version of Keep His Exxy, I used

01:19.840 --> 01:21.400
the app image.

01:21.400 --> 01:26.520
So if you're using Windows or Mac OS, there may be bug fixes related to your version

01:26.520 --> 01:28.200
that I may not cover here.

01:28.200 --> 01:34.600
There were a number of minor fixes in the 2.7.4 release, such as they fixed the clicking

01:34.600 --> 01:40.600
links in the entry preview panel, fixed the display of passwords in the preview panel,

01:40.600 --> 01:41.960
and things that add nature.

01:41.960 --> 01:47.520
So we're just going to sum that up to like quality of life improvements, or minor bug fixes

01:47.520 --> 01:48.520
yet.

01:48.520 --> 01:52.560
Still a great release, and I'm happy that they got the code audit.

01:52.560 --> 01:58.680
So on the 15th of April, 2023, Keep His Exxy sent out the audit report.

01:58.680 --> 02:03.520
I received a mine via RSS using the Thunderbird email client.

02:03.520 --> 02:08.760
And keep His states in the release that they wanted to have this audit since the beginning

02:08.760 --> 02:13.680
over 6 years ago, and they're happy to finally release an audit.

02:13.680 --> 02:21.200
It was completed on the 19th of January, 2023, so after the completion of the audit, obviously

02:21.200 --> 02:25.960
you want to go ahead and make as many changes as you can, to improve the product based

02:25.960 --> 02:30.760
on the information release through the audit, get an update out, and then release the

02:30.760 --> 02:32.640
audit, or release them together.

02:32.640 --> 02:38.000
Now, they report that the audit was conducted free of charge for the Keep His Exxy team.

02:38.560 --> 02:43.760
And it gives a few little snippets from the audit in the RSS feed, but I'm going to go

02:43.760 --> 02:48.200
directly to the audit itself because they link to it in the RSS, so let's go over that

02:48.200 --> 02:49.200
audit.

02:49.200 --> 02:55.040
Now, pardon me, if our butcher the name here, but the author of the Keep His Exxy audit,

02:55.040 --> 03:02.200
his name is Zara, Malat Nikoff, I'm just going to call him Zara for now now, to keep things

03:02.200 --> 03:03.200
simple.

03:03.200 --> 03:08.080
And again, I apologize if I butcher the name, I have links down in the show notes to

03:08.080 --> 03:09.800
all things mentioned here in the show.

03:09.800 --> 03:14.920
I'm going to just read a little bit from the top, sort of like that disclaimer, quote,

03:14.920 --> 03:21.440
this document isn't independent security review of the Keep His Exxy password manager,

03:21.440 --> 03:30.920
version 2.7.4 of functionality, and central source code parts by me, Zara, security consultant

03:30.960 --> 03:36.520
with applied security and applied cryptography basics knowledge.

03:36.520 --> 03:44.120
See my CV here, close quote, so he goes to explain that his interest in doing the audit

03:44.120 --> 03:49.440
for Keep His Exxy was there wasn't one, or at least not a recent one.

03:49.440 --> 03:54.960
He gives a nice little disclaimer saying that no one paid him or encouraged him to provide

03:54.960 --> 03:55.960
the audit.

03:55.960 --> 04:02.560
And follows up with quote, this review is not a recommendation or endorsement, close quote.

04:02.560 --> 04:07.400
So if you're choosing to use Keep His Exxy, you're doing so of your own volition.

04:07.400 --> 04:09.400
Do so at your own risk.

04:09.400 --> 04:15.400
Now one of the things that he points out very early in the summary, he says that Keep His

04:15.400 --> 04:21.120
Exxy provides sufficient cryptographic protection, and he labels what's normally referred

04:21.120 --> 04:26.560
to as the CIA, confidentiality, integrity, and authenticity.

04:26.560 --> 04:32.360
So long as you're using a strong passphrase and the confidential random key file, now

04:32.360 --> 04:37.260
add you with that, you should be using the latest database file as well, those are like

04:37.260 --> 04:38.260
the caveats.

04:38.260 --> 04:45.160
And remember, this audit was performed on Keep His Exxy version 2.7.4, he also points out

04:45.160 --> 04:51.760
in the beginning, or near the top of the article, ideally the application should warn on

04:51.760 --> 04:58.520
use of insecure formats and suggest ways to migrate to the newest format, and he talks

04:58.520 --> 05:06.040
about how an attacker could attempt to swap the newer database with an older database and

05:06.040 --> 05:12.160
an attempt to gain access to the user's credentials, so there should be a warning there.

05:12.160 --> 05:18.120
The report goes further explaining how Keep His Exxy could store which latest version

05:18.120 --> 05:25.240
of the database was used by the user and spot undesired substitutions of the Keep His Exxy

05:25.240 --> 05:26.240
database.

05:26.240 --> 05:33.760
I like the statement here where he says, quote, Keep His Exxy is written well and exercises

05:33.760 --> 05:40.480
defensive coding techniques, or excuse me, defensive coding sufficiently, close quote, now

05:40.480 --> 05:46.240
we start to get a little scary in the next statement here, oh my, quote, the memory

05:46.240 --> 05:53.520
deallocation could be improved to not contain secrets after the database is locked, close

05:53.520 --> 06:00.400
quote, oh my goodness, memory deallocation, you mean I'm a victim here, is using Keep His Exxy

06:00.400 --> 06:03.000
making me a victim to memory deallocation?

06:03.000 --> 06:10.080
Gah, ha, ha, yikes, that's scary, I really hope Keep His works on that, we're going to

06:10.080 --> 06:16.800
go over the release notes for the 2.7.5 release which followed this audit and may even reach

06:16.800 --> 06:19.720
out to the Keep His Exxy team in time.

06:19.720 --> 06:27.080
Zara also mentions best practice for the key files that keep His Exxy generates for additional

06:27.080 --> 06:34.400
authenticity, stating that the key files must not be accessible to potential attackers.

06:34.480 --> 06:42.240
Personally, I use my key file a lot like a UB key, I have it stored on to a USB thumb drive,

06:42.240 --> 06:47.280
that thumb drive is encrypted, I inserted into the PC when they're rumble about to unlock

06:47.280 --> 06:52.240
my key pass X speed database, I have the first unlock the thumb drive and inside of the

06:52.240 --> 06:59.360
Keep His Exxy program, there's a link to where the file is located, which is on the thumb drive

06:59.440 --> 07:06.240
once it's inserted and decrypted, the link will match up and then I can put in my pass phrase,

07:06.240 --> 07:10.960
which matches with the key file to authenticate the session.

07:10.960 --> 07:17.280
After it is authenticated, I'm able to then remove the thumb drive from the PC, continue with

07:17.280 --> 07:23.280
my session until I'm done, lock the session, close Keep His Exxy, we're good to go.

07:23.280 --> 07:29.680
His stays that is review focuses on the core features of Keep His Exxy, focusing mainly on

07:29.680 --> 07:36.880
the database reading and writing features, and the cryptography use, stating quote,

07:36.880 --> 07:42.640
I could discover no major problems, close quote, while I wish you would have said that the first

07:42.640 --> 07:47.840
time because I almost had a heart attack with that memory deallocation. Now here's an important

07:47.840 --> 07:55.600
tidbit in the summary, he mentions the sections of the codebase he was unable to it audit at the time

07:55.600 --> 08:03.680
and he lists them here, TLTP, SSH agent, browser plugin communication, the auto type feature,

08:03.680 --> 08:11.920
key share password share mechanism, free desktop integration, HIBP support, and database statistics

08:11.920 --> 08:16.720
feature. He mentioned that these features could be subject for the next audit,

08:16.720 --> 08:24.560
once again giving a reminder that the audit only covers the core features of Keep His Exxy 2.7.4

08:24.560 --> 08:32.560
as of December 2022 completed in January 2023. That's it for the summary, we're now going to move

08:32.560 --> 08:40.080
into the detailed review quote, Keep His Exxy is a relatively complex application written in

08:40.160 --> 08:47.760
C++ programming language using the QT framework, close quote, and it gives other details about

08:47.760 --> 08:59.280
how, you know, the codebase is approximately 127,000 lines, and that's excluding the libraries.

08:59.840 --> 09:05.920
Now normally when you have big boy code like that, it's easy for a few bits to get a little messy,

09:05.920 --> 09:13.200
little jumbled up, you know, bugs in the sort, but then he says these sweet words, quote, yet,

09:13.200 --> 09:19.520
as the code is well structured, it was possible to review the core functionality independent of

09:19.520 --> 09:24.800
the rest of the code, close quote, so that's like that that chef's kiss right there, you know,

09:24.800 --> 09:31.920
even though this is a massive workload I got to look over, it's nice and clean. He speaks more about

09:32.000 --> 09:38.560
focusing his review on parts of the code relevant to encryption and storage of confidential information

09:38.560 --> 09:44.320
and the core functionality of the Pro of the password manager. Oh, in this next piece,

09:44.320 --> 09:49.760
we're just going to sprinkle some love on top. I love this part. He talks about how,

09:49.760 --> 09:56.160
in his professional practice, he's learned that the problem isn't usually the password

09:56.240 --> 10:03.280
manages themselves, is that people aren't using them enough or they're not using them properly.

10:03.280 --> 10:09.600
Like when we discussed having the key file, the random key file generated by key past XC,

10:09.600 --> 10:15.520
not storing that on disk where the attacker could have access to it, and other things like not

10:15.520 --> 10:22.000
using the updated database file, you know, remaining on older versions of the database file,

10:22.000 --> 10:27.680
while using a newer version of the key past XC application itself. Yeah, they don't know there.

10:27.680 --> 10:33.280
That's not good. He's saying that's not what he's used to seeing. He's seeing people just

10:33.280 --> 10:40.000
not using it as it was intended or as it should be intended. He talks about how the application

10:40.000 --> 10:47.200
interface is quote, appealing and recommendable. Thus, my motivation to look under the hood and

10:47.200 --> 10:53.520
know if it provides protection, that I correct them in as well. Close quote, see that just little

10:53.520 --> 11:00.960
little sprinkles of love right on top. Here's a nice statement from ZAR quote, I focus on a particular

11:00.960 --> 11:08.240
scenario to also be able to consider the most central protection properties of the password manager

11:08.240 --> 11:15.200
and not to deviate on other various and general attacks on computing as a whole. Like side channel

11:15.200 --> 11:21.520
attacks on cipher implementations. Close quote, so he's just showing you that he keeps a nice

11:21.520 --> 11:28.960
tidy scope while going through this audit. quote, the user will use the password manager on a

11:28.960 --> 11:36.320
trustworthy computer. The resulting encrypted password database, if presented to an attacker in an

11:36.320 --> 11:44.000
encrypted fashion, should be protected reasonably using cryptography selected by the password manager.

11:44.080 --> 11:51.680
In the course of the review, I explain and sometimes extend a little this context. Close quote,

11:51.680 --> 11:58.640
this is like that floor. We need to set, you know, where standards are the floor. We won't go any

11:58.640 --> 12:04.480
lower than this and what he's basically saying here is look. We're not talking about a computer that's

12:04.480 --> 12:12.320
already compromised here, right? You need to have a clean OS and hardware and that's where we're

12:12.400 --> 12:20.480
basing all of the review going for. quote, I leave out of scope scenarios when the host may run

12:20.480 --> 12:28.000
not trustworthy operating systems or with a host can be not trustworthy as hardware. Be subject to an

12:28.000 --> 12:34.080
environmental attack, e.g. side channel attacks, these attacks although realistic,

12:34.800 --> 12:42.000
challenge not only the password manager, but the software with the passwords are going to be used

12:42.400 --> 12:50.480
for example, browsers close quote. So given some examples of the attack surface, not only the operating

12:50.480 --> 12:56.880
system, but you know, many password managers have browser integration, so that's also a part of your

12:56.880 --> 13:05.600
attack surface and the browser lets face it. That's that and if you have an email client, those are

13:05.600 --> 13:10.960
areas where you're most likely going to be getting your malware. Browser's a designer go

13:10.960 --> 13:18.160
slip through the muck of the internet and do it daily. So I definitely understanding his need to

13:18.160 --> 13:23.600
narrow that scope and put everybody in a proper perspective because criticisms will come out in the

13:23.600 --> 13:30.560
future and begin to introduce all of these varying scenarios where the attack could come from this or

13:30.640 --> 13:37.200
that angle is good to give us all proper perspective. Quote, key pass XC supports integration with

13:37.200 --> 13:42.320
browser extensions. The communication between the password manager application and the browser

13:42.320 --> 13:50.080
extensions is implemented using secure and modern Libsodium style encryption. A personally trust

13:50.080 --> 13:56.480
this cryptography choice and salute the use of encryption to communicate with the browser's

13:56.560 --> 14:03.760
extensions. Close quote, Libsodium sounds like something an internet doctor would tell you to stay away from.

14:04.800 --> 14:09.840
Oh, oh, here's one of those scary parts coming up right now. Go ahead and pull your covers over

14:09.840 --> 14:18.080
your heads guys. Quote, it is worth noticing though that being secure, Libsodium encryption is not

14:18.560 --> 14:28.480
prescribed by standards like FIPs as of now. Close quote, even though I don't know who the FIPs

14:28.880 --> 14:33.520
which is going to call them Fips. I don't know who Fips are at this moment but I'm going to look

14:33.520 --> 14:41.600
them up and then I'm going to issue a obligatory good heavens because they don't approve our

14:41.600 --> 14:48.240
standards and we're using them. Quote, thus when using key pass XC in a high secure environment where

14:48.240 --> 14:55.040
standardization of cryptography is mandated, I would recommend against the use of browser extensions.

14:55.040 --> 15:01.680
For private use in my opinion, this is a very good choice of encryption. Close quote, I personally

15:01.680 --> 15:08.160
pride myself on the limited use of browser extensions. Right now and I have one that I just can't

15:08.160 --> 15:15.520
quite get away from. It is the Firefox multi account containers. But I'll talk about that another

15:15.520 --> 15:22.720
day. We're talking about key pass XC in an audit right now. So I definitely understand wanting to limit

15:23.040 --> 15:30.640
your tax surface by not introducing tons of foreign code on different update cycles after being

15:30.640 --> 15:38.080
updated at all. Not to mention your browser may receive audits but the extensions may not. So

15:38.480 --> 15:44.240
you have the variation in update cycles as well as not really being secured. Some of which may

15:44.240 --> 15:51.120
even be proprietary. So if you have free an open source browser, proprietary extensions,

15:51.120 --> 15:59.440
different update cycles, yikes. Quote, cryptography of key pass XC relies on two solid pillars.

15:59.920 --> 16:08.160
First of all, it uses rather standardize KDBX for password database file formats,

16:08.160 --> 16:14.640
which we will review below. Second, to implement the cryptographic primitives,

16:14.640 --> 16:22.720
key pass XC relies on existing crypto library, bontan, bontan, I think it bontan,

16:22.720 --> 16:29.120
making a solid choice for it. Close quote, all right ladies and gentlemen, this is the part where I need to

16:29.120 --> 16:33.840
it to form new things when it get a lot harder to keep up with and I may not be able to quote

16:33.840 --> 16:40.560
as much because we're about to get into the alphabet soup. When we start talking about things like quote

16:41.040 --> 16:55.280
AES 256-CBC and HMAC-SH8256. Close quote, you understand so yeah we're going to be doing a

16:55.280 --> 17:01.440
little bit less quoting now. Not to mention ZAR is going to be flexing his muscles pretty soon,

17:01.440 --> 17:10.400
you know he like our good friend, Clot2, they both speak the language C++. And when you do that

17:10.400 --> 17:18.080
you tend to have conversations in the dialect math. The last person I remember attempting to do that

17:18.080 --> 17:27.360
was black kernel and we all remember what he said. In this next section,

17:27.360 --> 17:36.480
ZAR tells us about the KDBX for database format. He says quote, it is more secure than its predecessor,

17:36.560 --> 17:42.720
and it adds protected stream functionality and authentication to the database encryption.

17:42.720 --> 17:49.520
Close quote, and he recommends it from the older formats. ZAR begins to tell us about his background

17:49.520 --> 17:56.480
as a professional in the encryption world, a professional cryptographer, right super fancy,

17:56.480 --> 18:02.880
pinky in the air, then he goes on a name dropping spree, calling out all the big dogs,

18:02.880 --> 18:09.440
like Stephen Gibson and Matthew D. Green. There are other names I just don't want to butcher them.

18:11.040 --> 18:17.680
I picked the easy ones. But now now all jokes aside, he mentions that he asked them to double check

18:17.680 --> 18:24.560
his work. All right, I'm going to gift you a nice little quote here, quote, long story, very short.

18:24.560 --> 18:32.160
The database file consists of a public header and an encrypted body. The header is not encrypted

18:32.240 --> 18:39.520
and it does not have to be containing only public information. The body is encrypted using

18:39.520 --> 18:48.560
AES 256 bit, CBC encryption, close quote. So as you see, we're getting into that

18:48.560 --> 18:53.280
alphabet soup here. I'm trying to navigate around it, but there's some nice tidbits I have to

18:53.280 --> 18:58.640
keep mentioning in every now and again. He also talks about something that I'm assuming is a little

18:58.640 --> 19:07.600
bit of that professional cryptographer inside baseball, you know, saying that the plain text for AES

19:07.600 --> 19:13.840
are encrypted with Charles 20. I don't know what that means, but I think I like saying it.

19:13.840 --> 19:19.840
I'm going to have to add that to my mastodon profile. Some guy on the internet is encrypted with

19:19.840 --> 19:28.880
Charles 20. After that, this is where he goes into his big brain move here, where he wants to obviously

19:28.880 --> 19:37.040
impress everyone by doing the maths. Well, color me impressed because I'm not going over it.

19:37.040 --> 19:43.360
It's not good for podcasting and I don't feel like taking a bottle of talent, I'll try and

19:43.360 --> 19:48.160
figure it out. But there's this one part I want to go over here really quickly and I'm going to

19:48.240 --> 19:55.520
try to tip to around some of the alphabet soup here, but it's got a little bit of the maths in here.

19:55.520 --> 20:04.000
So, be warned if there are children in the room and you do not want them subject to nerd of the highest

20:04.000 --> 20:13.360
level programming gibberish, pause now. All right, you have been warned, quote, composite key. This is a

20:13.440 --> 20:21.120
Charles 256 hash concentration of hash incoming source keys that are used to protect the database.

20:21.680 --> 20:31.360
Charles 256, open parentheses, Charles 256, open parentheses, passphrase, close parentheses,

20:31.920 --> 20:44.640
plus, Charles 256, open parentheses, key file, close parentheses, plus dot dot dot, close parentheses,

20:45.120 --> 20:53.840
in quote, oh man, I don't tell you, that maths. Basically what we're talking about is protection

20:53.840 --> 20:59.680
on top of protection inside of protection with an extra layer of protection for protection.

20:59.760 --> 21:04.400
And that's why you don't hire me to do your, you're talking points for you.

21:04.400 --> 21:10.160
Or maybe you do. I could use a job if it's paying the big bucks, right? Don't expect to get any

21:10.160 --> 21:16.080
work done, but I'll talk about it for you. Here's a nice moment in the details where he decides

21:16.080 --> 21:23.920
to speak English for a few seconds here, quote, entry, an entry of the database usually has at least

21:24.080 --> 21:33.360
these fields, a title, a username, a password, as well as creation time and possible custom fields.

21:33.360 --> 21:39.520
Close quote. Now he starts talking about the possibility of binary attachments

21:39.520 --> 21:45.200
and how the password field is usually protected with something called a random stream,

21:45.200 --> 21:51.840
and then he gets to the scary part, right? This is one of the things that again, put the blanket

21:51.920 --> 21:59.680
over the head, quote, quote. Keep pass xc does not support protect in memory attribute of these entries.

21:59.680 --> 22:04.480
Close quote. So if you only stopped reading here and didn't read anything else,

22:04.480 --> 22:10.320
you would basically run out of your house in fear because you were using keep pass xc.

22:10.320 --> 22:17.040
Fortunately for us, I'm going to keep reading quote, a named entity containing a value,

22:17.040 --> 22:25.520
security can be protected by the protected stream if the protected attribute is set to true.

22:25.520 --> 22:32.800
Passwords are protected by default. This ensures double encrypted at rest using the protected

22:32.800 --> 22:41.200
stream and using the main cipher, close quote. He then goes to explain how this is used to avoid

22:41.280 --> 22:47.600
plain text passwords in the court dump files, so you're safe basically. Now I imagine some

22:47.600 --> 22:54.480
news organization is going to do what I just give a nice little example of pick a scary part

22:54.480 --> 22:59.120
and then tell everybody how it's the end of the world if you were using keep pass xc.

22:59.120 --> 23:08.720
That's if I have already started a new pandemic, a global crisis. And if I have managed to

23:08.720 --> 23:16.800
scare you, please feel free to contact Archer 72 for more information.

23:16.800 --> 23:22.560
Now we're going to that nice part that I like. I love that keep. Well, let me make sure I say this

23:22.560 --> 23:30.800
correctly. I enjoy using keep pass xc. I wanted it to use the ubiquie on Linux natively. There are

23:31.680 --> 23:38.640
extensions, let's say, that you can use to attempt to get this functionality. I chose not

23:38.640 --> 23:44.720
to use that. I chose to use the key file that keep pass xc has native own Linux. You just have to

23:44.720 --> 23:50.080
know how to use it securely as I've mentioned before. So I was eager to get into this part as he goes

23:50.080 --> 23:58.480
into explaining how attacks against the key file can happen. Quote. A key that can be read out

23:58.480 --> 24:06.160
from a secret file and used to open the database. It is an optional mechanism. A user may choose

24:06.160 --> 24:12.880
to use or not to use a file key. The pass phrase will still be needed to open the database.

24:13.600 --> 24:21.920
Security file keys might feature XML structure and be phrased as XML at the same time

24:21.920 --> 24:29.520
they are not authenticated. The user should keep the key file keys confidential and secure.

24:29.520 --> 24:36.000
Free from a malicious manipulation. File keys can be used by the user as a second factor

24:36.160 --> 24:44.480
authentication. E.G. By storing them on a USB flash and presenting the file to someone.

24:44.480 --> 24:51.680
Excuse me. As someone, the user has additionally to the pass phrase that the user knows.

24:51.680 --> 24:57.680
Close Quote. English may not be the first language but let me just let me try to clean it up just a

24:57.680 --> 25:03.760
little bit here. We talk about two factor authentication. Something you have and something you know.

25:03.840 --> 25:09.840
The password and username. Those are something you know. The second form of that authentication

25:09.840 --> 25:16.400
would be something you have. Which would be the key file stored on a USB thumb drive. So the only

25:16.400 --> 25:21.040
way that you're going to be able to authenticate is if you can present that key file. Now again,

25:21.040 --> 25:26.160
you're going to want to also encrypt that thumb drive. It's just an additional layer. And I'm also

25:26.160 --> 25:33.440
going to say that you're going to want to have multiple of those thumb drives with that key file stored

25:33.440 --> 25:40.240
on them. Put one in your fire slash waterproof safe or off-site somewhere in a climate controlled

25:40.240 --> 25:44.560
environment because it is flash. And then you have the other one with you. Like I normally wear

25:44.560 --> 25:49.120
mine on my necklace but because it jingles that took it off for the recording. You know, you have

25:49.120 --> 25:53.520
that thumb drive when they're with the UB keys every time I move around it's clinking a lot. So

25:53.520 --> 25:58.400
yeah, that's what he's talking about here. Now there's another portion down in here when he's

25:58.400 --> 26:07.360
bringing up the database file, the kdbx4 database file. And he mentions something called magic.

26:09.280 --> 26:14.880
I thought there was kind of funny. You know, I figured you ultra nerds out there aren't using

26:14.880 --> 26:20.960
a lot of magic. You just kind of fabricate things into existing using, you know, languages and

26:20.960 --> 26:28.000
in the such. But is there actually like a library or a technique in cryptography? No one is magic.

26:28.000 --> 26:31.760
I'm going to have to look that up. I'll quote it here so that you know what I'm talking about because

26:31.760 --> 26:36.160
it probably you probably wonder what what am I talking about here. You need some more context.

26:36.160 --> 26:44.560
Quote. Kdbx4 files start with signature, which is in its own set of quotes there.

26:44.560 --> 26:50.240
Signature bites is what he's saying but it just the word signatures in quotes. It is not a

26:50.320 --> 27:00.480
cryptographic signature. But two magic four bites. I don't know if that's supposed to stand

27:00.480 --> 27:07.040
for an integer. No, I don't know what it's. And then let me close quote right there because it's

27:07.040 --> 27:13.520
going into super alpha numeric territory. And we don't, you know, we're not going to continue with that.

27:13.600 --> 27:21.120
As well as some more math being done right after that. So let's just move along to something a

27:21.120 --> 27:27.840
little bit more readable here. What he talks about the header. Now the header sounds kind of scary.

27:27.840 --> 27:35.440
Quote header. Same as database header. An unencrypted portion of the database file located in

27:35.440 --> 27:43.440
the beginning of it. Security. The header does not contain any confidential information and is unencrypted.

27:43.840 --> 27:53.760
It is authenticated with HMAC. See data. See database header. Close quote. So as you can tell,

27:53.760 --> 27:59.200
let's start and get a little bit more difficult to read some of this. But we're going to get through it.

27:59.200 --> 28:04.880
Now the header had me a little bit nervous. I was beginning to wonder like, what are they putting in the

28:04.880 --> 28:10.720
header? Are they putting like the notes in the header? Because I have notes stored in my password files.

28:11.280 --> 28:18.960
In my password databases. And those notes contained, you know, keys and other things, right?

28:18.960 --> 28:25.440
You know, when you set up your TLTP and not the key itself for the TLTP and not that. But I mean,

28:25.440 --> 28:32.080
they give you like recovery codes just in case something goes wrong. I mean, I throw those additional

28:32.080 --> 28:42.080
10 recoveries in there and I'm thinking, oh my god. Say it ain't so. Now for a good bit of this report,

28:42.080 --> 28:48.720
we're going to have to unlock our mouse. Our mouse has a feature known as the infinity scroll.

28:48.720 --> 28:55.200
We're going to use infinity scroll now to zoom all the way down on this document if you're wondering

28:55.280 --> 29:03.680
why I'm bringing that up. Because tons of big brain language, maths, alphabet soup,

29:03.680 --> 29:10.880
in general purpose, alphabet numeric nonsense. It's still a great read and I'm poking fun at it.

29:10.880 --> 29:15.200
I'm not saying that's a bad report at all. I'm just having fun. This is my humor coming through

29:15.200 --> 29:21.600
here. But it's not a very podcast friendly document. So I'll just go on to tell you this.

29:21.760 --> 29:30.160
He discusses some attacks and other things on the database file. It gives wonderful insight on these.

29:30.160 --> 29:37.760
But again, you're going to have to read it yourself because it is it's a toughy. Now he also

29:37.760 --> 29:44.880
talks about attacks on availability in here and backing up your keypast XC database file, which

29:44.880 --> 29:52.240
if you may remember, I think during the New Year's Eve show or New Year's Eve poll show,

29:52.240 --> 30:00.640
I was speaking with a gentleman about passwords and password managers. And I believe he discussed

30:00.640 --> 30:05.840
on the show. Or was it another show? Well, I can't remember where it was. But one of the shows that I've

30:05.840 --> 30:12.320
done, a gentleman discussed storing his keypast XC database on I think was Google Drive

30:12.400 --> 30:18.000
so that he can access it from his Android phone as well as his PC. And though I do not,

30:18.000 --> 30:23.840
I don't shine this. You know, it should be safe. I personally don't do it though,

30:23.840 --> 30:30.080
just because it's like extreme paranoia. And these are some points there discussed in this audit

30:30.080 --> 30:38.560
about storing your keypast XC database file. So wonderful information on security practices for the

30:38.560 --> 30:45.600
user, meaning just the old average. Some guy on the internet that wants to use keypast XC. As

30:45.600 --> 30:52.640
well as if you're a big brain alien that speaks C++. I mean, you're going to get a lot from this as

30:52.640 --> 30:58.320
well, at least I assume so because most of it is crazy talk. We got a little bit more English before

30:58.320 --> 31:05.440
we give up here. We move to a section called defensive secure coding. And I know, if I don't know

31:05.520 --> 31:11.040
anything about coding, why in the world would I go to a section called defensive secure coding?

31:11.040 --> 31:18.560
That's because there's at least one spec there I can read. Cool. There are two pillars of

31:18.560 --> 31:26.720
defensive coding really checking the input and the output well and maintaining memory well.

31:26.720 --> 31:32.560
Close quote. Now, I do remember the rust programming language being, you know,

31:32.640 --> 31:39.760
hailed for its memory safe this and that. But black kernel never told us how to write the entire

31:39.760 --> 31:46.320
Linux kernel in rust. So obviously I can't make sense of the statement I just read to you.

31:46.320 --> 31:53.520
In this next section, I really wanted to do more quotes here. The memory protection and deallocation

31:53.600 --> 32:01.280
because this is the true hand-wringing shouting good heavens hoping it turns out okay.

32:01.920 --> 32:09.360
But there's lots of big brain talk going here. So I'm just going to have to sort of paraphrase some of

32:09.360 --> 32:16.000
this. But in his memory dumps, my brain caught me just in time. I was about to say in his dumps.

32:16.000 --> 32:21.680
But, you know, yeah, the careful here with this kind of language, huh? He says that he could not see

32:21.760 --> 32:27.440
any passwords and clear plain text from his dumps. You know, I just tested in the memory and all

32:27.440 --> 32:34.400
of that stuff. I'm trying to exploit the password manager. So no passwords were exposed there.

32:34.400 --> 32:43.680
However, don't, don't, don't. He was able to see parts of the database XML and the dumps

32:43.680 --> 32:55.840
including user names and notes. He also stated it was also possible to see encrypted protected

32:55.840 --> 33:06.000
fields and the format descriptions as well. He mentions that the notes were completely readable.

33:06.080 --> 33:15.600
So notes stored in key pass XC version 2.7.4. If an attacker exploded that memory dump thing,

33:15.600 --> 33:22.320
yeah, your notes are 100% vulnerable. Now there's a non-security professional, you know, I'm not

33:22.320 --> 33:30.000
a, I'm not a cryptographic professional. I don't speak C++ with a dialect of math. So this

33:30.000 --> 33:36.800
sounds super scary and I'm ready to just delete my entire computer with a shotgun and fire.

33:36.800 --> 33:43.280
But that made delay this show. So I can't do that. Instead, I will tell you that he says that some

33:43.280 --> 33:50.480
of these things that sound very terrible and horrifying are actually expected because, quote,

33:50.480 --> 33:56.880
a software that in the end of the day has to provide the user back with information,

33:56.880 --> 34:02.320
the user has stored in the database, close, close, close. So these are things that could be

34:02.320 --> 34:07.760
done better, could be made better, but it's also not the end of the world. Basically, some attackers

34:07.760 --> 34:16.240
already owned your box. So you've got bigger problems than just your C pass XC memory, it dumps,

34:16.240 --> 34:21.520
memory allocation dumps. Now one of the things I'm going to point out here before we start to

34:21.600 --> 34:28.880
wrap this up, down in the networking section of Q pass XC, ZAR mentioned something that, I mean,

34:28.880 --> 34:35.520
I just found out about in another story, not going to mention here, but I didn't know favour

34:35.520 --> 34:45.120
cons had such potential for malicious activity. So he, he gives words of caution when downloading

34:45.200 --> 34:53.440
favour cons. And when did the name change from icons or emojis? Now, yes, to favour cons. That's

34:53.440 --> 34:58.880
another thing. I don't know when these transitions occurred or why. You know, why do we have to have

34:58.880 --> 35:03.520
more words for things we don't need? Like, remember, remember back in the day, used to be called a

35:03.520 --> 35:09.600
PM, but today it's called a DM. You know, used to be a private message now. It's a direct message.

35:09.680 --> 35:16.160
Remember, we used to have programs, and then we had applications, and now we have apps. I'm

35:16.160 --> 35:21.600
pretty sure in another couple of worlds, we would just call them things, you know, we have things

35:22.000 --> 35:29.200
more to the point. Be careful with external information introduced into your password manager,

35:29.200 --> 35:36.880
plug-ins, favour cons, you know, those browser extensions and integration, all of these extend

35:36.960 --> 35:44.480
your attack surface. They're wonderful, especially in situations where accessibility come up,

35:44.480 --> 35:50.400
however, if you can get away without using them, it's for the best. So now he goes into the summer,

35:50.400 --> 35:57.040
he goes into his summary and recommendations to the implementation team. He notes that in his

35:57.040 --> 36:05.360
urgent corrections of high risk vulnerabilities. There are none. Yeah, all that scary stuff that I

36:05.440 --> 36:11.280
blew well out of proportion and possibly gave you a heart attack. Yeah, they're actually none.

36:11.280 --> 36:17.680
It's kind of like that sensational journalism that's happening these days. I'm telling you,

36:17.680 --> 36:24.800
I do a new show on HPR. So when you read tons and tons of news articles, sometimes you can tell

36:24.800 --> 36:30.800
these journalists are just making crap up as they go along, because there's a ton of like non-standard

36:30.880 --> 36:36.400
terms that are being used and you can tell it's just being sensationalized. So it's just a common

36:36.400 --> 36:43.840
weirdo on HPR like myself. I would just, you know, as an example here, I would tell you to be careful

36:43.840 --> 36:52.800
of attackers on the internet, right? Insensational journalism, jettola, insensational journalism,

36:52.960 --> 37:00.720
they would tell you to be careful of cyber gangs and crew in an organization. That's why

37:00.720 --> 37:06.960
kind of I kind of make an effort to try and calm down some of that language, but at the same

37:06.960 --> 37:11.280
time, I also want to make it fun for you. You got to have a little fun when you're reading some

37:11.280 --> 37:16.320
of this stuff. Otherwise, it gets super dry, but I don't want to mix in all of those terms,

37:16.320 --> 37:22.720
like cyber gangs. I mean, seriously? Are you serious? No, we're not using it. Or that one story

37:22.800 --> 37:30.160
they would have Dutch gang, not Dutch gang. The Dutch authorities would be calling it, not

37:30.160 --> 37:35.040
not fishing. I think they called it a fishing or something crazy. Oh, no, no, it wasn't the fishing

37:35.040 --> 37:42.320
thing. Only it was told that tragedy was told. And I think I think told stood for a telephone

37:42.320 --> 37:51.520
oriented attack. I don't know what the deal is to answer, but it was stupid. Pardon me, let's get back

37:51.520 --> 37:58.000
on track here. He mentions that there are some recommended improvements for the Kepass XC

37:58.000 --> 38:05.760
implementation team. And much of it has alphabet soup in it, so I can't really read it, but I will

38:05.760 --> 38:11.920
be linking to it. And you can go over it and allow your eyes to swim in your head as you try to go

38:11.920 --> 38:18.320
over it as I have. But there is one name that he mentioned in here, bump bump bump bump. I got to read

38:18.320 --> 38:23.760
this part out. And for those of you who have listened to the owner news, you're going to catch

38:23.760 --> 38:31.920
this part right here. Let's see if you can catch it. Quote. Detect non-securely set KDF parameters

38:31.920 --> 38:40.480
insist on improving them actively. Warn the user open parentheses? Last pass should be an

38:40.480 --> 38:50.000
example of what happens otherwise? Close, proceed. I could keep a straight face with that.

38:50.880 --> 38:58.240
Desarge slam dunk last pass out here. I'm not going to speculate on it. Actually, I will because

38:58.240 --> 39:06.480
it's funny. Desarge is totally in a classic Michael Jordan from the free throw line slam dunk

39:06.560 --> 39:13.840
on last pass in this in this audit. In a nice little treat at the very end, recommendations

39:13.840 --> 39:20.960
for users. That's right. Even though he forgot to turn off his C++ when he was speaking,

39:20.960 --> 39:29.200
he still offered them to us. Alright folks, the show has come to an end. I know I've attempted to

39:29.200 --> 39:38.480
make this entertaining for you a security review of the key pass XC 2.7.4 security audit.

39:38.480 --> 39:46.240
Now, after that audit, they came out with the 2.7.5 release with a offer these changes

39:46.800 --> 39:52.560
at support for Botan 3 that was one of the security measures that were mentioned. So,

39:52.560 --> 39:58.800
yay Botan 3. Then, if we could just get them to use a sensible name, they also improve the

39:58.800 --> 40:06.400
HTML export layout. So, if you're exporting your passwords into the HTML format for storage,

40:06.400 --> 40:12.960
hopefully on an encrypted medium, the format there is improved. They also improve the look of the

40:12.960 --> 40:19.520
key pass XC 2 logo and icons, which is always great. We like things to look modern as well as

40:19.520 --> 40:26.400
you know, feel modern. So, yep, great. Now, let's move from the changes down into the fixes.

40:26.400 --> 40:34.560
They fixed the TLTP QR code maintaining square ratio, which I never used the QR code. I didn't

40:34.560 --> 40:39.840
even know they had one. So, this is great to learn that they actually have free QR codes in

40:39.840 --> 40:45.280
in key pass XC. Totally got to go play with that now. Probably they were going to use it after

40:45.280 --> 40:50.480
our play with it because I don't trust it. Anything that needs a QR code to authenticate,

40:50.480 --> 40:57.280
you shouldn't trust. Some work done on the SSH agent. Yeah, they fixed the support for the AES

40:57.280 --> 41:04.560
256 slash GCM open SSH keys. So, again, a little bit out of the suit there, but you shouldn't

41:04.560 --> 41:09.040
know what I'm talking about. Your geek, I know you are. You also fixed a few bugs in the preview

41:09.920 --> 41:15.440
and a few other things. Now, I also like to note, I don't see anything in here about that

41:15.440 --> 41:21.920
memory deallocation. You know, again, that the scope was made clear that we're talking about a secure

41:21.920 --> 41:28.320
system. Yes, we are. So, if you're on an insecure system, that's where that would be a problem.

41:28.320 --> 41:34.640
If the attacker had already compromised your your box, you would then be vulnerable to that type of

41:34.640 --> 41:40.880
attack. However, I would like to get some sort of information from Kipass XC about

41:41.520 --> 41:50.480
expectations on seeing some form of patch to, I don't know, limit that, you know, because being

41:50.480 --> 41:59.040
able to just dump from RAM, all of my notes, and other things, just yikes. Another thing I'm

41:59.040 --> 42:05.680
wondering about, if you have that database file on a different system, and you're, you're accessing

42:05.680 --> 42:13.280
it remotely, when you, I'm assuming you're streaming a copy of the file over, like it's downloading

42:13.280 --> 42:19.920
the file, and then you use it on the device to, to, you know, decrypt and access the secrets. I'm

42:19.920 --> 42:26.000
hoping that you're not sending information. You're, you're, I'm saying, like, there isn't just the

42:26.080 --> 42:33.040
stringing of data of you trying to authenticate with that, I'm hoping that's not how it works.

42:33.040 --> 42:39.600
I'll have to ask some questions about that. I'll, uh, send Kipass, the Kipass XC team, some emails,

42:39.600 --> 42:44.880
and hopefully try to get somebody on the show. Wouldn't that be nice? I'm sure there once they're

42:44.880 --> 42:49.840
here that some guy on the internet wants to have a talk with them, record it, and release it

42:49.840 --> 42:54.480
through a bunch of hackers on the internet. They'd, they'd step right up for that, right? I mean,

42:54.480 --> 43:01.040
who wouldn't, but that's all I got time for. After reading all of that math, who? Boy, I need to get

43:01.040 --> 43:08.240
a bite to eat and go lay down, huh? I'll catch you guys in the next episode of Hacker Public Radio,

43:08.240 --> 43:12.640
take it easy. Goodbye, everybody! See you later!

43:15.520 --> 43:21.440
You have been listening to Hacker Public Radio at Hacker Public Radio.org. Today's show was

43:21.440 --> 43:27.440
contributed by a HBR this night like yourself. If you ever thought of recording podcast,

43:27.440 --> 43:35.040
you click on our contributally to find out how easy it means. Posting price VR has been kindly provided

43:35.040 --> 43:42.240
by an onsthost.com, the internet archive and our synced.net. On this otherwise stages,

43:42.240 --> 43:49.280
today's show is released on our creative comments, attribution, 4.0 international license.

43:51.440 --> 43:53.440
you